Stealc is an information stealer: once running on a host it harvests browser credentials, cookies and cryptocurrency-wallet data and posts them to its command-and-control panel over plain HTTP, so the outbound connections to the C2 URLs listed below are the exfiltration channel itself, typically appearing as unexpected transfers from a non-browser process to a bare-IP host. SOC teams should hunt for this traffic proactively in Microsoft Sentinel (formerly Azure Sentinel) to catch an infection before the stolen data is used. The IOC table is defanged (hxxp, [.]); the queries use the live values.
IOC Summary
Malware Family: Stealc
Total IOCs: 2
IOC Types: url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://5[.]252[.]177[.]67/bb7f17919d0a4d0aaf22.php | botnet_cc | 2026-05-05 | 100% |
| url | hxxp://45[.]131[.]214[.]189/6a4133a676c340b0b27b.php | botnet_cc | 2026-05-05 | 100% |
```kql
// Hunt for user clicks on the known Stealc C2 URLs (Safe Links click telemetry)
// Source: ThreatFox - Stealc
let malicious_urls = dynamic(["http://5.252.177.67/bb7f17919d0a4d0aaf22.php", "http://45.131.214.189/6a4133a676c340b0b27b.php"]);
UrlClickEvents
| where Timestamp > ago(30d)
// has_any does term-based phrase matching, so a trailing query string still matches
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough, Workload, NetworkMessageId
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Populated by Defender for Office 365 Safe Links through the Microsoft Defender XDR data connector; ensure that connector is enabled. It records user clicks on links in mail, Teams and Office documents, so it catches a phishing link pointing at these hosts, not the beaconing of an already running stealer. |
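The click telemetry above only covers links a user opened through Safe Links. Stealc's C2 traffic is generated by the stealer process itself, so the same IOCs are worth hunting in endpoint network telemetry. The query below is an added example, not part of the original hunt or of the ThreatFox data; it assumes DeviceNetworkEvents is being ingested through the Microsoft Defender XDR connector. It matches on the C2 IP addresses and on the 20-character hex gate names rather than the full URL string, so a report that lists the same panel under https, a different host, or with a query string still hits.

```kql
// Added example (not part of the original hunt): match the two Stealc C2 URLs
// against endpoint network telemetry instead of email/Teams link clicks.
// Assumes the Microsoft Defender XDR connector is streaming DeviceNetworkEvents.
let c2_ips = dynamic(["5.252.177.67", "45.131.214.189"]);
// The hex gate name is the stable part of a Stealc panel URL; scheme and host vary between reports.
// Each value is a single alphanumeric term, which is what has_any indexes on.
let c2_gate_tokens = dynamic(["bb7f17919d0a4d0aaf22", "6a4133a676c340b0b27b"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteIP in (c2_ips)
    or (isnotempty(RemoteUrl) and RemoteUrl has_any (c2_gate_tokens))
| extend UrlPath = tostring(parse_url(RemoteUrl).Path)
// Process context is what separates a stealer beacon from a browser visit or a sandbox detonation
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, UrlPath, ActionType,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountName, InitiatingProcessFolderPath
| order by Timestamp desc
```

Any hit where the initiating process is not a browser, or runs from a user-writable folder such as AppData or Temp, should be treated as a live infection and escalated; a hit from a browser is more likely a user who opened the phishing page and should be cross-checked against UrlClickEvents for the delivering message.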
The following benign activities produce outbound transfers that a broader exfiltration hunt can flag. An exact match on the C2 URLs above is rarely a false positive, but these exclusions keep the wider hunt usable.
Scenario: Legitimate Scheduled Job Shipping Logs
Description: A scheduled job (a logrotate postrotate script, an rsyslog or Filebeat forwarder) sends system logs to a centralized log platform such as Splunk HTTP Event Collector or Elasticsearch over HTTP(S), producing regular outbound POSTs of similar size to a single destination.
Filter/Exclusion: Maintain an allowlist of the log platform's IPs and hostnames and exclude connections to them, or exclude by HTTP method plus destination (for example, http.method = "POST" and http.url contains "log-management-domain.com", where the domain is a placeholder for your own log platform). Exclude only the allowlisted destination, never every POST from the host.
Scenario: Admin Using PowerShell for System Monitoring
Description: An administrator runs PowerShell scripts (Get-EventLog, Get-WinEvent) to collect system events and export them to a remote server for auditing.
Filter/Exclusion: Exclude only on the combination of account, script location and destination (for example, process.name = "powershell.exe" and process.user = "admin_user" and script.path under an approved scripts directory). Note that C:\Windows\System32\WindowsPowerShell\v1.0\ is where powershell.exe itself lives, so matching on that path excludes every PowerShell invocation; stealer loaders use PowerShell too, so never exclude on process name alone.
Scenario: Data Backup to Cloud Storage
Description: A backup job using rsync, aws s3 sync or azcopy transfers sensitive data to cloud storage (AWS S3, Azure Blob Storage) for archival, which looks like a large outbound transfer.
Filter/Exclusion: Exclude by destination (S3 endpoints are under s3.amazonaws.com or s3.<region>.amazonaws.com; Azure Blob endpoints under blob.core.windows.net), and confirm from the process name or command line that a known backup tool is running from its scheduled job rather than an ad hoc upload from a user session. Stealers also abuse public cloud storage for exfiltration, so a new bucket or storage account that the backup job has never written to before is still worth a look.
Scenario: Remote Desktop Protocol (RDP) Session Data Transfer
Description: A user connected over RDP transfers files through drive redirection, clipboard or drag-and-drop; the data travels inside the RDP channel (TCP 3389) from mstsc.exe and can be flagged as data exfiltration.
Filter/Exclusion: Filter by process name (`process.name = "mstsc.exe"`
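The scenarios above describe exclusions in generic field names. The query below is an added example, not from the original page, that expresses them in Sentinel terms: a behavioural companion hunt for Stealc-style panel traffic (a bare-IP host with a long hex-named .php gate, the pattern both IOCs follow) over DeviceNetworkEvents, with exclusions for the log-shipping, admin-PowerShell and backup scenarios. The allowlist values (splunk.corp.example, 203.0.113.10, the C:\Scripts\Monitoring\ directory) are placeholders for this example. The RDP scenario needs no exclusion here because mstsc.exe traffic on TCP 3389 never passes the web-port filter.

```kql
// Added example, not part of the original page: behavioural hunt for
// Stealc-style gate traffic with exclusions for the benign scenarios above.
// Assumes DeviceNetworkEvents arrives through the Microsoft Defender XDR connector.
// Allowlist values are placeholders; replace them with your own.
let log_platform_dest = dynamic(["splunk.corp.example", "203.0.113.10"]); // scenario 1: log shipping targets
let backup_tools      = dynamic(["rsync.exe", "aws.exe", "azcopy.exe"]);  // scenario 3: known backup tools
let admin_script_dir  = @"C:\Scripts\Monitoring\";                        // scenario 2: approved script location
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "ConnectionSuccess"
// Scenario 4 (RDP file transfer) never matches: mstsc.exe talks on TCP 3389, not web ports
| where RemotePort in (80, 443)
| where not(ipv4_is_private(RemoteIP))
| extend UrlHost = tostring(parse_url(RemoteUrl).Host),
         UrlPath = tostring(parse_url(RemoteUrl).Path)
// Exclusions for the benign outbound transfers described above
| where UrlHost !in~ (log_platform_dest) and RemoteIP !in (log_platform_dest)
| where InitiatingProcessFileName !in~ (backup_tools)
| where not(InitiatingProcessFileName =~ "powershell.exe"
            and InitiatingProcessCommandLine contains admin_script_dir)
// Stealc-style gate: bare IPv4 host and a path that is a long hex name ending in .php
| where UrlHost matches regex @"^\d{1,3}(\.\d{1,3}){3}$"
| where UrlPath matches regex @"^/[0-9a-f]{16,}\.php$"
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Hits = count(),
            Devices = make_set(DeviceName, 20)
    by UrlHost, UrlPath, InitiatingProcessFileName, InitiatingProcessAccountName
| order by Hits desc
```

The exclusions are applied before the pattern match so that each one is narrow: a known log platform is excluded by destination, a backup tool by process name, and admin PowerShell only when the command line points at the approved script directory. Anything left is a non-allowlisted process talking to a bare-IP .php gate, which is worth triaging even when the exact IOC list has not been updated yet.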